Java app as Windows Service w/JGSS+Kerberos - should it work?

Chris chriscorbell at
Wed Mar 11 20:08:40 EDT 2009

I have a JBoss webservice app that's configured for GSS-API (Kerberos)
authentication of context tokens received from clients.  It gets the
GSS-API output token in a soap message and calls acceptSecContext().
GSS-API is configured wtih a Krb5LoginModule and a local keyTab file
(exported from AD). All of this works great.

What doesn't work great is running this JBoss app as an actual Windows
Service - the creation of the server's GSSCredentials fails with "No
valid credentials provided", which I think typically means the keyTab
file isn't found or can't be accessed.

I've tried every type of user for the Widnows Service (LocalSystem, a
local Admin user account w/password, etc.) and verified read perms on
the keyTab file.  I'm beginning to suspect it's just a problem with
having the JVM wrapped in a native service process. (I'm using the
Tanuki Java Service Wrapper).

I know this is a fairly specific configuration but I'm hoping someone
may have some experience to offer - have you been able to get a GSS-
API-enabled Java server application running as a Windows Service with
a local KeyTab file? If you have gotten this to work, did you ever see
the above symptom & is there a likely cause?  Or if not, could it be
that this simply won't work - is there something about the Java GSS-
API implementation that conflicts with running in a wrapping service


More information about the Kerberos mailing list